Data, Privacy + Cybersecurity Insights
February 14, 2025

Protecting Children Online: EDPB Weighs in on Age Assurance Methods

On February 11, 2025, the European Data Protection Board (“EDPB”) issued a statement outlining its expectations for aligning the proliferating use of age assurance checks with the GDPR (the “Statement”). Aiming to promote a harmonized approach across the EU, the Statement provides guidance and high-level principles for online service providers (“Service Providers”). It emphasizes the need to consider the best interests of the child—whether in terms of data protection, safeguarding from harm, or broader welfare—while ensuring compatibility more widely with all individuals’ fundamental rights and freedoms, including those relating to privacy, non-discrimination, integrity and free speech.

Background
As part of broader efforts to safeguard children in an increasingly online world, policymakers are placing greater demands on digital service providers to incorporate age assurance—whether through verification or estimation—before allowing users to access their platforms. In the EU, the Digital Services Act identifies age verification as a targeted measure that very large online platforms and search engines can adopt to protect children’s rights. In the UK, the Online Safety Act (“OSA”) effectively requires many online user-to-user and search service providers to implement “highly effective” age assurance methods. Meanwhile, under the GDPR, age assurance is required under certain circumstances to determine whether parental consent is necessary.

The UK data protection regulator (the Information Commissioner’s Office, or “ICO”) set out its expectations around age assurance first in 2020 as part of the Age Appropriate Design Code, and then later with its updated guidance specifically addressing how age assurance should be used as part of a balanced, proportionate and risk-based child-protection programme. We have also seen guidance on age assurance from EU data protection regulators, including the French CNIL and the Spanish AEPD, but until this week none from the EDPB. Given the fast-evolving digital regulatory landscape, the EDPB seeks to establish a consistent pan-EU approach, proposing principles to reconcile the protection of children and the protection of personal data.

Key takeaways
When designing and implementing any new service or feature, organizations should take stock of the personal data processed and ensure such processing is conducted in accordance with the GDPR. While the Statement does not mandate specific age assurance methods, it reinforces key GDPR principles that organizations must consider when implementing such measures, including purpose limitation, data minimisation, transparency, accuracy and accountability.
Of particular note:

  1. Service Providers should consider conducting risk assessments to ensure a proportionate approach to age assurance. The Statement stresses the need for assessing the necessity and proportionality of using age assurance, and suggests that this could be achieved via (a) a Child Rights Impact Assessment identifying and evaluating the risks that a particular service poses to children (including exposure to harmful contact or content), and (b) a Data Protection Impact Assessment (DPIA). The EDPB reminds organisations that in many cases, given age assurance poses a high risk to the rights and freedoms of data subjects, a DPIA would in any event be mandated. Any DPIA should balance the objective of children’s safety with the rights and freedoms of all users.

    The EDPB opines that a service provider would not pass the necessity and proportionality tests when using personal data “to check the age of all their users when accessing all their content or services, even when the content or services are suitable for all audiences and devoid of risk”. Rather than applying age assurance as a blanket measure, organizations should assess the specific need for it based on the nature of their service, and any relevant legal obligations they are subject to.

  2. Users should have access to alternative age verification methods and effective redress mechanisms. Service Providers should consider providing access to alternative age assurance methods. Ensuring multiple verification options helps prevent power imbalances and maintain accessibility. It also reduces the risk of discrimination against individuals who lack certain forms of identification, such as a mobile phone or official documents. Additionally, Service Providers should put robust redress mechanisms in place to allow users to address inaccuracies, particularly in cases where decisions result from solely automated decision-making (“ADM”).
  3. Service Providers should be transparent. Service Providers must clearly communicate how user data is processed as part of any age assurance method. To ensure the Service Provider’s use of age assurance methods is fair and lawful, they should explain how personal data is used and the implications of such use. Additionally, Service Providers must meet the notice requirements outlined in Articles 13 and 14 of the GDPR. Any transparency information intended for children should be presented in a clear, accessible, and age-appropriate manner.
  4. Service Providers should assess whether the age assurance checks amount to ADM. Under the GDPR, ADM is where a decision is made without meaningful human involvement and produces a legal or similarly significant effect. The Statement emphasizes that the legislator has deliberately opted for a broad definition of ADM that requires examination on a case-by-case basis.
    Service Providers should evaluate whether any stage of their age assurance process involves ADM. If so, they must ensure they have a valid legal basis under the GDPR (of which fewer are available for ADM) and provide appropriate remedies and redress. The EDPB also reminds providers that ADM is generally prohibited in relation to children, except in limited circumstances, such as where it is necessary to protect the child’s welfare.

Next steps
Service Providers should carefully evaluate their approach to age assurance, whatever their purpose, to ensure compliance with both EU and UK data protection frameworks. Given the increasingly complex, multilayered, and often overlapping digital regulatory landscape, Service Providers should give consideration to how they can streamline compliance efforts, including the now myriad requirements for child-focused risk assessments.
